Security

 View Only
last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

Cisco Switch 9x00 inegration 802.1x with Clearpass

This thread has been viewed 37 times
  • 1.  Cisco Switch 9x00 inegration 802.1x with Clearpass

    Posted Apr 03, 2023 10:14 AM

    Hi All
    hope you are ok

    I need to configure and by that integrate Cisco  new switches 9000 series 802.1x with Clearpass

    Is this a good begin to check this?

    https://www.arubanetworks.com/techdocs/ClearPass/6.9/Aruba_DeployGd_HTML/Content/Cisco%20Switch/Intro_Cisco_Switch.htm


    any more thoughts on this?

    Regards



  • 2.  RE: Cisco Switch 9x00 inegration 802.1x with Clearpass

    Posted Apr 03, 2023 10:24 AM

    Hi

    I work with a customer who is running ClearPass as Radius server for the Cisco switches they have.
    They have had IP phones and computers connected to the phones. In this setup Cisco does not recommend to use Downloadable ACLs . But without the need for multiple clients on the same switch port it shouldn't be an issue.
    I'm not working with the switches for this customer only ClearPass, but it's nothing special you need to do to get it working from the ClearPass side.
    Switch configuration is also straight forward.

    Depending on you intentions you may need to enable the Cisco Radius VSA in ClearPass.

    The linked documentation may be a good starting point, or the Wired enforcement guide:
    https://asp.arubanetworks.com/downloads/documents/RmlsZTpmMDY3Y2UwYS1lNmZiLTExZWEtYjFjMi0zYmZjN2Y0MzMxNDI%3D



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------



  • 3.  RE: Cisco Switch 9x00 inegration 802.1x with Clearpass

    Posted Apr 03, 2023 11:05 AM

    ClearPass also supports Cisco Device Sensor for Wired profiling.  




  • 4.  RE: Cisco Switch 9x00 inegration 802.1x with Clearpass

    Posted Apr 03, 2023 11:07 AM

    One thing I did to make the policy a bit more flexible on our Cisco switch deployments is to use the vlan name instead of vlan number in the Vlan-Private-Group-ID attribute.  We are pretty brownfield as far as some of our campus vlan numbers, but we do consistently have a "users" and "voice" vlan everywhere, even if they're not the same number.  It's case sensitive, and obviously per-switch so every used switch VLAN database entry for the name needs to be consistent.




  • 5.  RE: Cisco Switch 9x00 inegration 802.1x with Clearpass

    Posted Apr 03, 2023 11:14 AM

    It's really not best practice to use VLAN change though, especially for headless/IOT devices authorized via MAB.  dACLs should really be leveraged instead of VLAN changes.  




  • 6.  RE: Cisco Switch 9x00 inegration 802.1x with Clearpass

    Posted Apr 28, 2023 02:55 PM

    I would recommend to check "How to configure IBNS 2.0" because it can get tricky.

    If you have access to https://ase.arubanetworks.com/  it is very helpful as well.

    We had a huge integration with C9000 and 1000 series and it is very tricky to get things going on multi-type of equipment environment, especially if you have unmanaged switches sitting behind or VoIP Phones and PC behind them.

    As a good step is also to check Cisco C9000/C1000 IBNS 2.0 integration with Cisco ISE. Usually same configs work with Clearpass integration as well.



    ------------------------------
    Shpat | ACEP | ACMP | ACCP | ACDP |
    -Just an Aruba enthusiast and contributor by cases-
    ------------------------------



  • 7.  RE: Cisco Switch 9x00 inegration 802.1x with Clearpass

    Posted May 08, 2023 07:11 AM

    Hello,
    I have a bunche of 9200L and 3560CX with IBNS2 configured. And we use the multi-auth option to be able to handle phone, PC, and unmanaged switch. The only draw back is that the switch need to avoid sending BDU on the port, and it will allow use to managed only 1 data VLAN, and the voice vlan. And no ACL, so the documentation is a good start, but avoid the ACL, the rule should be allowed to connect, or not, KISS method!